Office of Inspector General

Review of the FMC’s FY 2010 Privacy and Data Protection

A11-01A

November 2010

FEDERAL MARITIME COMMISSION


FEDERAL MARITIME COMMISSION
800 North Capitol Street, N.W.
Washington, DC 20573

November 8, 2010

Office of Inspector General

TO:       Chairman Richard A. Lidinsky
          Commissioner Joseph E. Brennan
          Commissioner Rebecca F. Dye
          Commissioner Michael A. Khouri

FROM:     /Adam R. Trzeciak/
          Inspector General

SUBJECT:  OIG Report on Privacy and Data Protection

The Office of Inspector General (OIG) performed a review of privacy and data protection policies and procedures to determine if the Federal Maritime Commission (FMC) is complying with Section 522 of the Consolidated Appropriations Act, 2005 (42 U.S.C.A. § 2000ee-2).

Section 522 requires an independent third-party review of agency use of personally identifiable information (PII) and of its privacy and data protection policies and procedures at least every two years. PII is information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. This evaluation satisfies the required third-party review.

The FMC has made progress in implementing privacy and data protection practices since our 2008 review. For example, it updated its Incident Response Policy to include breach-related procedures, prepared draft privacy impact assessment (PIA) policies and templates, and completed select PIAs. The Senior Agency Official for Privacy has taken a more active role in data protection activities, and the agency’s annual security awareness training includes sections on privacy and data protection.

We also noted areas where improvements are possible. The agency needs to finalize its policies and procedures and perform federally required PIAs on all agency systems that require a PIA. Further, the agency has not performed a risk assessment for FMC-18 (online license application form), and there is no assurance that appropriate controls have been implemented.

The OIG met with management, who generally concur with our findings and recommendations. Management comments are attached to this report.

The OIG wishes to thank the Privacy Act Officer, the Senior Agency Official for Privacy and the Chief Information Officer for their assistance. I am available at your convenience to discuss the report’s findings and recommendations.

cc:     Ronald Murphy, Managing Director
        Karen Gregory, Secretary
        Anthony Haywood, Chief Information Officer


Privacy and Data Protection Evaluation Report

Office of the Inspector General
Review of the Federal Maritime Commission’s Implementation of the
Federal Information Security Management Act (FISMA)
For Fiscal Year 2010

November 8, 2010


TABLE OF CONTENTS

EXECUTIVE SUMMARY
INTRODUCTION
BACKGROUND
OBJECTIVES, SCOPE AND METHODOLOGY
DETAILED FINDINGS AND RECOMMENDATIONS
    FISMA REPORTING
        Finding #1 – The FMC Does Not Fully Comply with OMB Memorandum M-03-22
    OMB MEMORANDUM M-07-16
        Finding #2 – The FMC Does Not Fully Comply with Security Requirements of OMB Memorandum M-07-16


EXECUTIVE SUMMARY

Section 522 of the Consolidated Appropriations Act, 2005 (42 U.S.C.A. § 2000ee-2) (Section 522) requires an independent third-party review of agency use of personally identifiable information (PII) and of its privacy and data protection policies and procedures at least every two years. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, defines PII as “information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” This review satisfies the required third-party review.

While the FMC has made progress in implementing privacy and data protection practices, additional work is still necessary to ensure that controls around PII in both paper and electronic form are implemented. Our findings and recommendations are summarized in the table below.

Finding #1 – The FMC does not fully comply with OMB Memorandum M-03-22, Implementing the Privacy Provision of the E-Government Act of 2002.
    Recommendation 1. Develop and implement policies and procedures to require privacy impact assessments (PIA) to be completed for each applicable information system.

Finding #2 – The FMC does not fully comply with security requirements of OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.
    Recommendation 2. Remove the FMC-18 (Form-18) PIA from the publicly accessible web that incorrectly states, “A risk assessment has been conducted and the appropriate controls have been implemented” as no authorization (formerly Certification & Accreditation (C&A)) package was created for this system.
    Recommendation 3. Create a planning document for multifactor authentication that correlates with the IT capital planning and investment control process. Utilize multifactor authentication for remote authentication for FMC systems to authenticate users’ identities for Level 3 and Level 4 users in accordance with National Institute of Standards and Technology (NIST) 800-63.
    Recommendation 4. Create policies and/or procedures to log, verify and reassess data extracts from databases holding sensitive information after 90 days.


INTRODUCTION

The Office of Inspector General (OIG) of the Federal Maritime Commission (FMC) contracted with Richard S. Carson & Associates to conduct a review of privacy and data protection policies and procedures and, specifically, to determine if the FMC is complying with Section 522 of the Consolidated Appropriations Act of 2005. The review was conducted using the Federal Information Security Management Act of 2002 (FISMA), Reporting Section D – Template for the Senior Agency Official for Privacy (SAOP) and Office of Management and Budget (OMB) Memorandum M-07-16, Safeguarding Against and Responding to Breach of Personally Identifiable Information. This report is organized into the following sections:

   •   Background
   •   Objectives, Scope and Methodology
   •   Detailed Findings and Recommendations


BACKGROUND

The Federal Maritime Commission was established as an independent regulatory agency by Reorganization Plan No. 7, effective August 12, 1961. The principal statutes or statutory provisions administered by the Commission are the Shipping Act of 1984; the Foreign Shipping Practices Act of 1988; Section 19 of the Merchant Marine Act, 1920; and Public Law 89-777. Most of these statutes were amended by the Ocean Shipping Reform Act of 1998, which took effect on May 1, 1999.

The Federal Maritime Commission:

   •   Monitors activities of ocean common carriers, marine terminal operators, conferences, ports, and ocean transportation intermediaries (OTI) that operate in U.S. foreign commerce to ensure they maintain just and reasonable practices.

   •   Maintains a trade monitoring and enforcement program designed to assist regulated entities in achieving compliance and to detect and appropriately remedy malpractices and violations set forth in Section 10 of the Shipping Act.

   •   Monitors the laws and practices of foreign governments that could have a discriminatory or otherwise adverse impact on shipping conditions in the U.S.

   •   Enforces special regulatory requirements applicable to ocean common carriers owned or controlled by foreign governments (controlled carriers).

   •   Processes and reviews agreements and service contracts.

   •   Reviews common carriers’ privately published tariff systems for accessibility and accuracy.

   •   Issues licenses to qualified OTIs in the U.S. and ensures each maintains evidence of financial responsibility.


OBJECTIVES, SCOPE AND METHODOLOGY

Richard S. Carson & Associates, under contract to the FMC/OIG, conducted a review of privacy and data protection policies and procedures to determine if the FMC is complying with the following:

   1. Federal Information Security Management Act of 2002, Reporting Section D – Template for the Senior Agency Official for Privacy (SAOP), which is based on privacy-related laws and regulations, including the Privacy Act of 1974 and the E-Government Act of 2002 (Public Law 107-347, 44 U.S.C. Ch 36).
   2. Office of Management and Budget Memorandum M-07-16

To accomplish the review objectives, security specialists conducted interviews with the FMC Office of the Secretary, including the Assistant Secretary; Office of the Managing Director staff, including the Chief Information Officer and the Senior Agency Official for Privacy; Office of Information Technology staff, including the Director of Information Technology and the Senior Information System Security Officer; as well as the Office of the General Counsel and other FMC personnel.

The team reviewed documentation provided by the FMC, including policies and procedures, privacy impact assessments and privacy-related policies.

All analyses were performed in accordance with the following guidance:

   •   Privacy Act of 1974
   •   Section 522 of the Consolidated Appropriations Act, 2005 (42 U.S.C.A. § 2000ee-2)
   •   Federal Information Security Management Act of 2002 (Public Law 107-347)
   •   OMB Memorandum M-03-18, Implementation of E-Government Act of 2002
   •   OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
   •   OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy
   •   OMB Memorandum M-06-16, Protection of Sensitive Agency Information
   •   OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments
   •   OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
   •   OMB Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations
   •   OMB Memorandum M-08-09, New FISMA Privacy Reporting Requirements for FY 2008
   •   OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
   •   Federal Information Processing Standards Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems
   •   FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems
   •   FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors
   •   The E-Government Act of 2002, Section 208, HR 2458
   •   National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volumes I & II
   •   NIST SP 800-63, Electronic Authentication Guideline
   •   OMB Circular A-130, Management of Federal Information Resources, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals
   •   Consolidated Appropriations Act, 2005 (Public Law 108-447)
   •   FMC/OIG audit guidance
   •   FMC policies and procedures

Fieldwork was conducted between July 7 and August 31, 2010, at the FMC Headquarters in Washington, DC.


DETAILED FINDINGS AND RECOMMENDATIONS

The FMC has made progress in its privacy and data protection program in the last year, including the following:

   •   Reviewing the System of Records and updating the Systems of Records Notice

   •   Documenting Privacy Impact Assessment (PIA) policies and templates, currently under review by the Office of General Counsel

   •   Involving the SAOP in numerous privacy and data protection-related activities

   •   Conducting annual security awareness training that includes sections on privacy and data protection

While the FMC has made improvements in its privacy and data protection program, the security team has noted weaknesses in the program. These are documented below.


FISMA Reporting

Finding #1 – The FMC Does Not Fully Comply with OMB Memorandum M-03-22

Office of Management and Budget Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, requires the following actions on the part of federal agencies:

   •   Conduct privacy impact assessments for electronic information systems and collections and, in general, make them publicly available.

   •   Post privacy policies on agency websites used by the public.

   •   Translate privacy policies into a standardized, machine-readable format.

   •   Report annually to OMB on compliance with Section 208 of the E-Government Act of 2002 (now covered by FISMA).

The FMC performed a Privacy Impact Assessment review and created a PIA template. As defined by OMB Memorandum M-03-22, a PIA is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. While the FMC has a draft privacy policy and associated procedure to require and provide guidance for conducting PIAs on all electronic information systems, they have not been signed. PIAs were not completed for all FMC systems that require a PIA. For example, Form-18 had a completed PIA; however, the Consumer Affairs & Dispute Resolution Services system did not.

Without properly assessing and documenting the data within each information system, the FMC cannot ensure that privacy information is handled in a manner that maximizes both privacy and security.

The SAOP informed the OIG that, due to the small size of the agency and the early-stage development of FISMA compliance mechanisms, the SAOP did not previously have PIA policies. Per discussions with the SAOP, the PIA policy has been written and is under review by the General Counsel. Management agrees with our recommendation and will complete all PIAs by May 30, 2011.

Recommendations

   1. Formally implement policies and procedures to require PIAs to be completed for each applicable information system.


OMB Memorandum M-07-16

Finding #2 – The FMC Does Not Fully Comply with Security Requirements of OMB Memorandum M-07-16

OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, requires agencies to:

   •   Encrypt all data on mobile computers/devices carrying agency data

   •   Employ two-factor remote access authentication

   •   Require the session or device used to perform remote access to FMC networks to time out after 30 minutes of inactivity

   •   Log and verify all computer-readable data extracts from databases holding sensitive information

   •   Require all individuals with authorized access to PII and their supervisors to sign, at least annually, a document clearly describing their responsibilities to ensure their understanding of their responsibilities

Furthermore, the following security requirements should be implemented as a foundation to ensure PII is protected:

   a. Assign an impact level to all information and information systems. Agencies must follow the processes outlined in Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, to categorize all information and information systems according to the standard’s three levels of impact (i.e., low, moderate, or high). Agencies should generally consider categorizing sensitive personally identifiable information (and information systems within which such information resides) as moderate or high impact.

   b. Implement minimum security requirements and controls. For each of the impact levels identified above, agencies must implement the minimum security requirements and minimum (baseline) security controls set forth in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, respectively.

   c. Certify and accredit information systems. Agencies must certify and accredit (C&A) all information systems supporting the operations and assets of the agency. The specific procedures for conducting C&A are set out in NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, and include guidance for continuous monitoring of certain security controls. Agencies’ continuous monitoring should assess a subset of the management, operational, and technical controls used to safeguard such information (e.g., Privacy Impact Assessments).

   d. Train employees. Agencies must initially train employees (including managers) on their privacy and security responsibilities before permitting access to agency information and information systems. Thereafter, agencies must provide at least annual refresher training to ensure employees continue to understand their responsibilities. Additional or advanced training should also be provided commensurate with increased responsibilities or change in duties.

NIST Special Publication (SP) 800-63, Electronic Authentication Guideline, April 2006, states that authentication systems are often categorized by the number of factors that they incorporate. Authentication is generally required to access secure data or enter a secure area. The requestor for access or entry shall authenticate her or himself by proving her or his identity by means of:

   •   What the requestor individually knows as a secret, such as a password; or
   •   What the requestor uniquely has, such as a physical token or an ID card; or
   •   What the requestor individually is, such as biometric data, like a fingerprint.

Multifactor authentication is a common term used to describe authentication methods that employ two or more factors to authenticate or validate the identity of a user. Some systems, specifically those that process, store, or transmit information with the highest levels of sensitivity, require three-factor authentication. Systems with this level of sensitivity have been categorized at the “High” level for data confidentiality. Systems that have been categorized at the “Moderate” level may only require two-factor authentication.

Two-factor authentication uses any two authentication methods (e.g., password plus a value from a physical token) to increase the assurance that the bearer has been authorized to access secure systems. For example, the owner of secure data or the operator of such secure systems may implement two-factor authentication on laptops because of the inherent security risks in mobile computers.

Through observation of configuration settings, interviews, and reviews of documentation, the OIG noted the following weaknesses:

   •   A risk assessment has not been conducted for FMC-18, and there is no assurance that appropriate controls have been implemented, since no accreditation (formerly C&A) package was completed for FMC-18 (Form-18). Additionally, the FMC-18 PIA, which is posted on the web, incorrectly states, “A risk assessment has been conducted and the appropriate controls have been implemented.”

   •   The FMC Secure Sockets Layer (SSL) [1] Virtual Private Network (VPN) [2] uses only one-factor authentication via username and password. Therefore, the remote authentication process is missing a second factor, such as something a user has or something a user is (i.e., biometric), to validate identity. Further, FMC policy does not define requirements for multifactor authentication for NIST 800-63 Level 3 and Level 4 systems.

   •   No policies or procedures have been created or implemented to log, verify and reassess data extracts from databases holding sensitive information after 90 days, due to budgetary constraints.

Without implementing the technical security considerations of OMB Memorandum M-07-16, the FMC cannot ensure OMB compliance, and privacy data may be at risk of unauthorized exposure.

Recommendations

   2. Remove the FMC-18 (Form-18) PIA from the publicly accessible web that incorrectly states, “A risk assessment has been conducted and the appropriate controls have been implemented” as no authorization (formerly C&A) package was created for this system.
   3. Create a planning document for multifactor authentication that correlates with the IT capital planning and investment control process. Utilize multifactor authentication for remote authentication for FMC systems to authenticate users’ identities for Level 3 and Level 4 users in accordance with NIST 800-63.
   4. Create policies and/or procedures to log, verify and reassess data extracts from databases holding sensitive information after 90 days.

[1] Secure Sockets Layer is a cryptographic protocol that provides security for communications over networks such as the Internet.
[2] A Virtual Private Network encapsulates data transfers between two or more networked devices which are not on the same private network to keep the transferred data private from other devices on one or more intervening local or wide area networks.


Memorandum

TO:       Inspector General                               DATE: October 20, 2010

FROM:     Senior Agency Official for Privacy (SAOP)

SUBJECT:  Comments on Review of FY 2010 Privacy Independent Evaluation

We have reviewed the recommendations in the instant Draft Report. Below are our comments regarding said recommendations.

Finding #1: FMC does not fully comply with OMB M-07-16

Recommendation #1. Complete Privacy Impact Assessments (PIA) assessments for all FMC systems that require a PIA.

    Response: We concur in the recommendation. The SAOP has recently developed new PIA Procedures and plans to use the new procedures/template to evaluate all systems, but most particularly systems containing personally identifiable information. We would intend that the PIAs be accomplished by May 30, 2011.

Recommendation #2. Remove the FMC-18 (Form-18) PIA from the publicly accessible web that incorrectly states “A risk assessment has been conducted and the appropriate controls have been implemented” as no authorization (formerly C&A) package was created for this system.

    Response: The inaccurate language has been removed from the PIA, and the updated version will be posted to the FMC website. We feel that the necessary security controls, although not documented, are in place to allow for the functionality of the FMC-18 system.

Recommendation #3. Create a planning document for multifactor authentication that correlates with the IT capital planning and investment control process. Utilize multifactor authentication for remote authentication for FMC systems to authenticate users’ identities for Level 3 and Level 4 users in accordance with NIST 800-63.

    Response: FMC will determine which systems, if any, require multifactor authentication and take necessary steps thereafter.

Recommendation #4. Create policies and/or procedures to log, verify, and reassess data extracts from databases holding sensitive information after 90 days.

    Response: This recommendation will be addressed by the contractor conducting the Form FMC-18 System Upgrade during FY 11, pending availability of funds.


                                         /Ronald D. Murphy/
                                         Senior Agency Official for Privacy

Attachment
cc:   Privacy Act Officer
      Chief Information Officer
      Director, Office of Information Technology
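The following is an added illustration, placed after the management comments; it is not code from the report, the FMC or its contractor. It shows one way to implement the OMB M-07-16 data-extract control cited in Finding #2 and Recommendation 4: every computer-readable extract from a database holding sensitive information is logged with a content digest so it can later be verified, and each extract is flagged for reassessment once it is 90 days old unless it has already been erased. The register class, its field names and the sample extract records are all constructed for this example.

```python
"""Data-extract register with 90-day reassessment (added example, not the FMC's code).

Implements the OMB M-07-16 requirement to log and verify computer-readable
extracts from databases holding sensitive information and to reassess each
extract after 90 days. All identifiers and sample records below are
constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REASSESS_AFTER_DAYS = 90  # reassessment window stated in OMB M-07-16


@dataclass
class Extract:
    extract_id: str
    requester: str
    source_db: str
    purpose: str
    extracted_on: date
    sha256: str                          # digest recorded when the extract was made
    reassessed_on: Optional[date] = None  # last date the extract was re-justified
    erased_on: Optional[date] = None      # set once the extract has been destroyed


class ExtractRegister:
    """Hypothetical register of extracts taken from a sensitive database."""

    def __init__(self) -> None:
        self._entries: Dict[str, Extract] = {}

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def log_extract(self, extract_id: str, requester: str, source_db: str,
                    purpose: str, extracted_on: date, data: bytes) -> Extract:
        """Record a new extract; a duplicate id is refused so history cannot be overwritten."""
        if extract_id in self._entries:
            raise ValueError("duplicate extract id: %s" % extract_id)
        entry = Extract(extract_id, requester, source_db, purpose,
                        extracted_on, self.digest(data))
        self._entries[extract_id] = entry
        return entry

    def verify(self, extract_id: str, data: bytes) -> bool:
        """True if the file presented matches the digest logged at extract time."""
        return self._entries[extract_id].sha256 == self.digest(data)

    def due_for_reassessment(self, today: date) -> List[str]:
        """Ids of live extracts whose last justification is at least 90 days old."""
        window = timedelta(days=REASSESS_AFTER_DAYS)
        due = []
        for entry in self._entries.values():
            if entry.erased_on is not None:
                continue
            anchor = entry.reassessed_on or entry.extracted_on
            if today - anchor >= window:
                due.append(entry.extract_id)
        return sorted(due)

    def reassess(self, extract_id: str, on: date, still_needed: bool) -> Extract:
        """Record the outcome of a reassessment: keep (re-justify) or erase."""
        entry = self._entries[extract_id]
        if still_needed:
            entry.reassessed_on = on
        else:
            entry.erased_on = on
        return entry


def run_example() -> List[str]:
    """Constructed scenario: two extracts, one reviewed and erased, one overdue."""
    reg = ExtractRegister()
    # constructed sample extracts (not real FMC data)
    reg.log_extract("EXT-0001", "analyst.a", "licensing_db",
                    "quarterly statistics", date(2010, 7, 7), b"id,name\n1,SAMPLE\n")
    reg.log_extract("EXT-0002", "analyst.b", "licensing_db",
                    "complaint follow-up", date(2010, 7, 20), b"id,name\n2,SAMPLE\n")
    # EXT-0002 was reviewed 90 days later and found no longer needed, so erased
    reg.reassess("EXT-0002", date(2010, 10, 18), still_needed=False)
    # On 2010-10-05 EXT-0001 is exactly 90 days old and has never been reassessed
    return reg.due_for_reassessment(date(2010, 10, 5))


if __name__ == "__main__":
    print("extracts due for reassessment:", run_example())
```

The digest stored at extract time is what makes the later "verify" step meaningful: an extract that has been altered or swapped since it was logged no longer matches the register. Tracking `reassessed_on` separately from `extracted_on` restarts the 90-day clock only when someone has actually re-justified keeping the data.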